b"            OFFICE OF\n     THE INSPECTOR GENERAL\n\nSOCIAL SECURITY ADMINISTRATION\n\nTHE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH INTELLIGENCE REFORM\n AND TERRORISM PREVENTION ACT OF 2004\n  PROVISIONS REGARDING SECURITY OF\n SOCIAL SECURITY CARDS AND NUMBERS\n\n      May 2008      A-08-08-18058\n\n\n\n\nAUDIT REPORT\n\x0c                                    Mission\nBy conducting independent and objective audits, evaluations and investigations,\nwe inspire public confidence in the integrity and security of SSA\xe2\x80\x99s programs and\noperations and protect them against fraud, waste and abuse. We provide timely,\nuseful and reliable information and advice to Administration officials, Congress\nand the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  \xef\x81\xad Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  \xef\x81\xad Promote economy, effectiveness, and efficiency within the agency.\n  \xef\x81\xad Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  \xef\x81\xad Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  \xef\x81\xad Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  \xef\x81\xad Independence to determine what reviews to perform.\n  \xef\x81\xad Access to all information necessary for the reviews.\n  \xef\x81\xad Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nWe strive for continual improvement in SSA\xe2\x80\x99s programs, operations and\nmanagement by proactively seeking new ways to prevent and deter fraud, waste\nand abuse. We commit to integrity and excellence by supporting an environment\nthat provides a valuable public service while encouraging employee development\nand retention and fostering diversity and innovation.\n\x0c                                            SOCIAL SECURITY\nMEMORANDUM\n\nDate:      May 21, 2008                                                                     Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   The Social Security Administration\xe2\x80\x99s Compliance with Intelligence Reform and\n           Terrorism Prevention Act of 2004 Provisions Regarding Security of Social Security\n           Cards and Numbers (A-08-08-18058)\n\n\n           OBJECTIVE\n\n           Our objective was to assess the Social Security Administration\xe2\x80\x99s (SSA) compliance with\n           certain provisions of the Intelligence Reform and Terrorism Prevention Act of 2004\n           (IRTPA) that involve the security of Social Security cards and numbers.\n\n           BACKGROUND\n           On December 17, 2004, President Bush signed IRTPA into law. 1 Section 7213(a)(1)(B)\n           of this law mandates that SSA establish minimum standards for the verification of\n           documents or records submitted by an individual to establish eligibility for an original or\n                                                                    2\n           replacement card, other than for enumeration at birth. Section 7213(b) requires that\n           SSA, in consultation with the Department of Homeland Security, form an interagency\n           task force 3 to further improve the security of Social Security cards and numbers. The\n           law further states that the Commissioner of Social Security should provide for the\n           implementation of security requirements, including 7213(b)(1) standards for\n           safeguarding cards from counterfeiting, tampering, alteration, and theft and 7213(b)(2)\n           requirements for verifying documents submitted for the issuance of replacement cards. 4\n\n\n\n\n           1\n               Public Law 108-458.\n           2\n            This section requires that SSA establish such standards not later than 1 year after the date of enactment\n           of this Act.\n           3\n             The interagency task force included representatives from SSA, the Department of Homeland Security,\n           the Federal Bureau of Investigation, the Department of State, and the Government Printing Office.\n           4\n            This section requires that SSA implement such requirements not later than 18 months after the date of\n           enactment of this Act.\n\x0cPage 2 - The Commissioner\n\n\nTo accomplish our objective, we contacted officials from SSA\xe2\x80\x99s Office of Income\nSecurity Programs and reviewed policies and procedures SSA established to comply\nwith IRTPA provisions regarding the security of Social Security cards and numbers. We\nalso reviewed reports regarding potential security enhancements to the Social Security\ncard. See Appendix A for additional information on our scope and methodology.\n\nRESULTS OF REVIEW\nBased on our interviews with SSA officials and a review of policies and procedures, we\ndetermined that SSA established minimum standards for verifying documents or\nrecords that applicants submit to establish eligibility for an original or replacement card.\nSSA also implemented numerous security features to enhance the integrity of Social\nSecurity cards. Although we are pleased with SSA\xe2\x80\x99s compliance with the IRTPA\nprovisions we reviewed, we believe the Agency should periodically assess these areas\nand enhance internal controls as needed to reduce the potential for improper SSN\nassignment and counterfeiting of Social Security cards.\n\nSSA Established Minimum Standards for Verifying Evidentiary Documents\n\nIRTPA mandates that SSA establish minimum standards to verify documents or records\nsubmitted by an individual to establish eligibility for an original or replacement card,\nother than for enumeration at birth. To comply with this provision, SSA established a\nlist of acceptable evidentiary documents, issued policy instructions, and trained field\noffice personnel on the minimum standards for document verification. 5 To help\napplicants understand the new IRTPA provisions, SSA also produced a fact sheet and\nrevised information brochures and pamphlets.\n\nWhen processing Social Security number (SSN) applications, SSA personnel first\ndetermine the applicant\xe2\x80\x99s age range. 6 Next, SSA policy instructs personnel to\ndetermine whether the applicant is a U.S. citizen or alien. Within each age range, SSA\nestablishes acceptable evidentiary documents for U.S. citizens and aliens. Under each\ncategory, SSA lists documents in two groups based on their relative probative value:\nprimary and secondary evidence. Primary evidence documents have the highest\nprobative value while secondary documents have lower probative value. 7\n\nFor adult U.S. citizens, primary evidence of identity includes a U.S. driver's license,\nU.S. State issued non-driver identity card, or U.S. Passport. 8 Acceptable secondary\n\n5\n SSA implemented this IRTPA provision in December 2005. After reviewing SSA\xe2\x80\x99s new document\nverification policies, the interagency task force agreed with the policies in place.\n6\n SSA classifies applicants\xe2\x80\x99 ages as follows: birth through age 5, ages 6 through 17, and ages 18 and\nolder.\n7\n Our July 2007 report, Field Office Use of the SS-5 Assistant (A-04-07-17026), found that replacement\nSSN card applicants provided primary evidence in about 91 percent of our sample cases.\n8\n    Program Operations Management System (POMS), section RM 00203.200E.6.\n\x0cPage 3 - The Commissioner\n\n\nevidence for adult U.S. citizens includes documents with less probative value, such as\nU.S. military identification cards, Certificates of Naturalization, Certificates of\nU.S. Citizenship, U.S. Government employee identification cards, non-Government\nidentification cards/badge cards, marriage documents, certified copies of medical\nrecords, health insurance or Medicaid cards, life insurance policies, and school identity\ncards or records. 9 SSA handles situations where no primary or secondary\ndocumentation exists or can be obtained by the applicant within 10 days 10 on a\ncase-by-case basis. SSA policy requires that personnel have their supervisor\ndetermine whether the other evidence of identity is acceptable. In such cases,\nsupervisors must consult with the SSA regional office. 11 SSA also instructs personnel\nto verify all evidentiary documents with the issuer when the documents do not appear\nauthentic.\n\nAlthough SSA considers security issues in formulating its policies relative to SSN\nassignment, it also considers public service and a wide range of factors. Among these\nare the need for virtually every U.S. citizen and many noncitizens to obtain an SSN, and\nthat not all card applicants are adults. Not every applicant, even if age 16 or older, has\na driver\xe2\x80\x99s license, State identification card, or other photograph identity document; and\nnot every applicant has more than one identity document that meets SSA\xe2\x80\x99s criteria. As\nsuch, these factors guided SSA\xe2\x80\x99s process for establishing priority lists of acceptable\ndocuments that establish identity and citizenship.\n\nAlthough SSA has established minimum standards for verifying evidentiary documents,\nwe believe it should periodically assess the probative value of these documents and\nupdate its list of acceptable documents, as needed. For example, if SSA field office\npersonnel determine certain acceptable evidentiary documents (for example, health\ninsurance cards or life insurance policies) have less probative value than originally\nthought, the Agency should no longer accept such documents. Periodically assessing\nthe probative value of evidentiary documents helps reduce the potential for SSA to\nimproperly assign SSNs.\n\nSSA Added Security Features to SSN Cards\n\nIRTPA requires that the Commissioner of Social Security, in consultation with the\nSecretary of Homeland Security, form an interagency task force to establish\nrequirements to further improve the security of Social Security cards and numbers.\nIRTPA also requires that the Commissioner provide for the implementation of security\nrequirements, including standards for safeguarding cards from counterfeiting,\ntampering, alteration, and theft. To comply with this provision and prepare for\ninteragency task force discussions, SSA contacted the Document Security Alliance, a\n\n9\n POMS, section RM 00203.200E.6. A marriage document is acceptable evidence of identity only when\nsubmitted as evidence for a legal name change.\n10\n     POMS, section RM 00203.200E.2d.\n11\n     POMS, section RM 00203.200E.2.e.\n\x0cPage 4 - The Commissioner\n\n\ngroup of experts on document security, in October 2005 to develop a Whitepaper with\nrecommendations for a more secure SSN card. From January through April 2006, the\ninteragency task force met to discuss options for a more secure SSN card and used the\nWhitepaper recommendations as a basis for discussion. 12 The task force issued its\nfinal report, which outlined its recommendations to the Commissioner, 13 in May 2006.\n\nSSA implemented six overt and various covert security features to the SSN card.\nBecause SSN card features are used in forensic analysis of counterfeit documents, we\nwithheld descriptions of the covert changes. The six overt changes were as follows.\n\n\xe2\x80\xa2    The card issuance date was added to the front of each SSN card.\n\n\xe2\x80\xa2    Signing instructions were added to the perforated card attachment. The instructions\n     state \xe2\x80\x9cADULTS: Sign this card in ink immediately. CHILDREN: Do not sign until age\n     18 or your first job, whichever is earlier.\xe2\x80\x9d\n\n\xe2\x80\xa2    A guilloche background pattern, which is a unique, non-repeating spiral design,\n     replaced the existing marbleized pattern. The new pattern is similar in color to the\n     past background and continues to have the security feature of being erasable. 14\n     This background is computer-generated and difficult to duplicate.\n\n\xe2\x80\xa2    A latent image was added to the SSN card face. This feature, a text image, is\n     visible only when the document is viewed at specific angles.\n\n\xe2\x80\xa2    A split fountain production method was added that produces a unique ink color\n     mixture on the press that transfers to the paper. The colors on the background of\n     the card flow from blue to aqua.\n\n\xe2\x80\xa2    Color shifting inks were added to the face of the card. These inks have a multilayer\n     light interference ink pigment imbedded that creates a noticeable color shift when\n     moved in front of a light source. This feature is also used in currency.\n\n\n\n\n12\n   The Formulation and Definition of Minimum Card Security Standards for the SSA, Document Security\nAlliance, April 2006.\n13\n   Final Report: Issued by the Interagency Task Force formed to carry out Section 7213(b) of the\nIntelligence Reform and Terrorism Prevention Act of 2004, May 2006.\n14\n  An erasable ink background is a security feature because it reveals an attempt at ink and toner removal.\nThis damage to the card is an overt indicator of an attempt to tamper with or alter the card.\n\x0cPage 5 - The Commissioner\n\n\nIn addition to the above IRTPA changes, SSA implemented a change in response to\nrequests from employer groups to distinguish the last name of the individual on the\nSSN card. As a result, beginning in September 2007, the individual\xe2\x80\x99s last name was\ndisplayed on a separate line on the card directly below the first and middle name.\n\nSSA was aware of the various options for a new SSN card (ranging from no card at all\nto a new ultra-secure card containing biometric features) and the various purposes it\ncould serve. However, in determining the scope for the task force deliberations, SSA\nconsidered existing legal requirements, national debate over immigration reform, and\n                                 15\nthe passage of the REAL ID Act.\n\nSpecifically, the Social Security Act 16 mandates that the SSN card \xe2\x80\x9cshall be made of\nbanknote paper.\xe2\x80\x9d In addition, the Commissioner cannot require enumerated individuals\nto apply for a new SSN card. Requiring that every cardholder obtain a new card would\nbe a multi-billion dollar effort.\n\nAlso, SSA determined it would not introduce a new SSN card with enhanced workplace\nenforcement features while the immigration reform debate was ongoing between\nCongress and the Nation. Finally, in passing the REAL ID Act, Congress provided the\nNation with a framework for reliable identity documents in the form of State-issued\ndriver\xe2\x80\x99s licenses and identification cards. This legislation seemed to diminish the need\nfor a new type of SSN card to serve a similar purpose. Based on these factors, SSA\ndecided it would continue to produce SSN cards on banknote paper and issue the new,\nmore secure, cards prospectively (to anyone applying for an original or replacement\ncard after IRTPA enactment).\n\nAlthough SSA has added security features to SSN cards, we believe it should\nperiodically examine potential threats to counterfeiting of SSN cards and make security\nenhancements, as needed. For example, as technology improves, SSA should conduct\nongoing threat assessments to examine the ease of counterfeiting and to respond to\nsuch threats timely. Periodically examining potential threats to the SSN card helps\nreduce the potential for counterfeiting, tampering, alteration, and theft.\n\n\n\n\n15\n     Public Law 109-13.\n16\n  Social Security Amendments of 1983, Public Law 98-21 \xc2\xa7 345, see also The Social Security Act\n\xc2\xa7 205(c)(2)(G), 42 U.S.C. \xc2\xa7 405(c)(2)(G).\n\x0cPage 6 - The Commissioner\n\n\nCONCLUSION AND RECOMMENDATIONS\nAs SSA continues to enhance SSN integrity, opportunists will continue to look for ways\nto exploit vulnerabilities in the Agency\xe2\x80\x99s controls. As such, SSA must continually\nassess and examine its policies and procedures to safeguard Social Security cards and\nnumbers.\n\nAccordingly we recommend that SSA periodically:\n\n1. Assess the probative value of documents it allows as evidence of identity and U.S.\n   citizenship and update its list of acceptable documents as needed to safeguard the\n   assignment of SSNs.\n\n2. Examine potential threats to SSN cards and make security enhancements as\n   needed to better prevent counterfeiting, tampering, alteration, and theft.\n\nAGENCY COMMENTS AND OIG RESPONSE\nSSA agreed with our recommendations. The Agency\xe2\x80\x99s comments are included in\nAppendix B.\n\n\n\n\n                                              Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Scope and Methodology\nAPPENDIX B \xe2\x80\x93 Agency Comments\nAPPENDIX C \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                                      Appendix A\n\nScope and Methodology\nTo accomplish our objectives, we\n\n\xe2\x80\xa2   reviewed applicable laws and Social Security Administration (SSA) policies and\n    procedures related to the implementation of Intelligence Reform and Terrorism\n    Prevention Act of 2004 provisions regarding the security of Social Security cards\n    and numbers;\n\n\xe2\x80\xa2   contacted officials from SSA\xe2\x80\x99s Office of Income Security Programs;\n\n\xe2\x80\xa2   reviewed a Whitepaper and interagency task force final report regarding the security\n    of Social Security cards and numbers; and\n\n\xe2\x80\xa2   attended a Government Printing Office meeting to learn about the security\n    enhancements made to the Social Security card.\n\nThe SSA entity reviewed was the Office of the Deputy Commissioner for Retirement\nand Disability Policy. We performed our audit in Baltimore, Maryland, and Birmingham,\nAlabama, from September through December 2007. We conducted this performance\naudit in accordance with generally accepted government auditing standards. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives.\n\x0c                  Appendix B\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:      April 30, 2008                                                        Refer To:   S1J-3\n\nTo:        Patrick P. O'Carroll, Jr.\n           Inspector General\n\nFrom:      David V. Foster /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cSSA's Compliance with the Intelligence\n           Reform and Terrorism Prevention Act of 2004 Provisions Regarding Security of Social Security\n           Cards and Numbers\xe2\x80\x9d (A-08-08-18058)--INFORMATION\n\n\n           We appreciate OIG\xe2\x80\x99s efforts in conducting this review. Our response to the report findings and\n           recommendations are attached.\n\n           Please let me know if we can be of further assistance. Staff inquiries may be directed to\n           Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.\n\n           Attachment:\n           SSA Response\n\n\n\n\n                                                         B-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, \xe2\x80\x9cSSA'S COMPLIANCE WITH THE INTELLIGENCE REFORM AND\nTERRORISM PREVENTION ACT OF 2004 PROVISIONS REGARDING SECURITY\nOF SOCIAL SECURITY CARDS AND NUMBERS\xe2\x80\x9d (A-08-08-18058)\n\n\nThank you for the opportunity to review and comment on the draft report. We are pleased that\nthis report acknowledges our overall compliance with the Social Security number (SSN) and card\nprovisions contained in the Intelligence Reform and Terrorism Prevention Act of 2004\n(P.L. 108-458). Specifically, the report recognizes that we established minimum standards for\nverifying documents or records that applicants submit to establish eligibility for an original or\nreplacement card and that we implemented the interagency task force recommendations to further\nstrengthen and safeguard the number and card from counterfeiting, tampering, alteration, and\ntheft. Our responses to the specific recommendations are provided below.\n\nRecommendation 1\n\nAssess the probative value of documents we allow as evidence of identity and United States\ncitizenship and update its list of acceptable documents as needed to safeguard the assignment of\nSSNs.\n\nResponse\n\nWe agree. We will continue to review the probative value of the documents we allow as\nevidence of identity and United States citizenship, and update the list of acceptable documents as\nneeded to safeguard the assignment of SSNs.\n\nRecommendation 2\n\nExamine potential threats to SSN cards and make security enhancements as needed to better\nprevent counterfeiting, tampering, alteration, and theft.\n\nResponse\n\nWe agree. We continually evaluate new technology as it becomes available and examine any\npotential threats to the integrity of the physical SSN card, in order to take the appropriate\nmeasures needed to address any vulnerability.\n\n\n\n\n                                               B-2\n\x0c                                                                     Appendix C\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kimberly A. Byrd, Director, Birmingham Audit Division, 205-801-1650\n\n   Jeff Pounds, Audit Manager, Birmingham Office, 205-801-1606\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Hollie Reeves, Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. Refer to Common Identification Number\nA-08-08-18058.\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                     Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of\nInvestigations (OI), Office of the Chief Counsel to the Inspector General (OCCIG), Office of External\nRelations (OER), and Office of Technology and Resource Management (OTRM). To ensure compliance\nwith policies and procedures, internal controls, and professional standards, the OIG also has a\ncomprehensive Professional Responsibility and Quality Assurance program.\n                                            Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs\nand operations and makes recommendations to ensure program objectives are achieved effectively and\nefficiently. Financial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial\nposition, results of operations, and cash flow. Performance audits review the economy, efficiency, and\neffectiveness of SSA\xe2\x80\x99s programs and operations. OA also conducts short-term management reviews and\nprogram evaluations on issues of concern to SSA, Congress, and the general public.\n                                       Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and\noperations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA\nemployees performing their official duties. This office serves as liaison to the Department of Justice on\nall matters relating to the investigation of SSA programs and personnel. OI also conducts joint\ninvestigations with other Federal, State, and local law enforcement agencies.\n                    Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures\nand techniques, as well as on legal implications and conclusions to be drawn from audit and investigative\nmaterial. Also, OCCIG administers the Civil Monetary Penalty program.\n                                    Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news\nreleases and in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media\nand public information policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the\nprimary contact for those seeking information about OIG. OER prepares OIG publications, speeches,\nand presentations to internal and external organizations, and responds to Congressional correspondence.\n                       Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also\ncoordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In\naddition, OTRM is the focal point for OIG\xe2\x80\x99s strategic planning function, and the development and\nmonitoring of performance measures. In addition, OTRM receives and assigns for action allegations of\ncriminal and administrative violations of Social Security laws, identifies fugitives receiving benefit\npayments from SSA, and provides technological assistance to investigations.\n\x0c"